openstack/ansible-hardening
Code Issues Proposed changes

Enable ntp client functionality with chronyd

Browse Source 
Using 'bindaddress' in the /etc/chrony/chrony.conf disables both
client and server ntp functionality as it cannot get the ntp
responses from peer servers.  The default install will leave the
servers unsynced with an ntp source causing them to skew over
time and eventually break services that rely on synced time.
Setting 'port 0' will disable the server functionality.  Using
'bindcmdaddress' will still chronc<->chronyd communictions over
localhost only.  This should allow client functionality and
disable server functionality.

Change-Id: Ie9b6e73333d9469a17e4cee06f21aa99b2b3df7e
Closes-Bug: #1656086
This commit is contained in:
Shannon Mitchell 2017-02-23 15:00:02 -06:00 committed by Major Hayden
parent 2e5fe3b038
commit 4cb2fa4eaa
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
templates/chrony.conf.j2
View File

@ -96,8 +96,9 @@ rtconutc
{% if security_ntp_bind_local_interfaces_only | bool %} {% if security_ntp_bind_local_interfaces_only | bool %}
# Listen for NTP requests only on local interfaces. # Listen for NTP requests only on local interfaces.
bindaddress 127.0.0.1 port 0
bindcmdaddress 127.0.0.1
{% if not security_disable_ipv6 | bool %} {% if not security_disable_ipv6 | bool %}
bindaddress ::1 bindcmdaddress ::1
{% endif %} {% endif %}
{% endif %} {% endif %}